Top Five Budget-Friendly OT Networking Improvements for Small Manufacturers

Early in my career I worked for small manufacturers. As my career progressed and I gained experience, I saw a need to make basic security concepts more consumable to small manufacturers. This list, based on my experience and on helpful guidance from NIST CSWP 28, Security Segmentation in a Small Manufacturing Environment, offers what I hope will be a good place to start.

Securing OT networks doesn’t have to break the bank. Many manufacturers struggle with competing demands, opting to keep production running and to keep budgets focused on output rather than security. With a strategic focus on basic networking and security best practices, and by leveraging free and open-source tools, small manufacturers can improve their OT network security without a substantial investment. Here are five budget-friendly OT networking improvements I recommend to small manufacturers.

1. Asset Inventory

Small manufacturers have been growing their OT networks for decades without much capital investment or strategy. Focusing on production first has left them with a flat, unmanaged network, numerous connections, and limited visibility into what is actually on the network.

Recommendations:

  • Scan and Inventory: Leverage free tools for asset discovery. Your existing automation vendors may offer tools to collect and export device details. A SPAN port on a managed or lightly managed switch, with Wireshark listening, lets you identify assets passively from their traffic. Tools like Angry IP Scanner and Nmap let you scan lightly and identify assets actively (keep the scans light, since some OT devices respond poorly to aggressive probing). Even without these tools, a physical survey of all network and controls cabinets can yield a list of most devices in a few days.
  • Organize and Document: Use the information collected from your tools and survey to build an IP/VLAN spreadsheet covering the subnets in your environment, which VLANs are in use, and basic details per device: manufacturer, model, firmware, and so on. Issue new IP addresses from this sheet to avoid conflicts, and use it to track changes over time.
  • Continually Review: Re-scan and survey periodically to capture any changes to your network.
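The three steps above (scan, document, re-scan) can be wired together in a few dozen lines. The script below is an added example written for this article, not code from the original post or from any of the tools it names: it parses the XML that Nmap writes with -oX into inventory rows, tags each row with a VLAN from a documented addressing plan, issues the next free address from that plan, and diffs two scans so periodic reviews surface new, vanished or changed devices. The Nmap output and the subnet-to-VLAN table are constructed assumptions.

```python
"""Build an IP/VLAN inventory from Nmap XML, issue addresses from it, and
diff it against a prior scan.

Added example for this article; it is not code from the original post. The
Nmap XML and the subnet-to-VLAN table below are constructed assumptions
about a plant's addressing plan.
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed: the addressing plan you would keep in the IP/VLAN spreadsheet.
SUBNET_TO_VLAN = {
    "10.10.10.0/24": ("VLAN10", "Line 1 controls"),
    "10.10.20.0/24": ("VLAN20", "Line 2 controls"),
    "10.10.99.0/24": ("VLAN99", "Engineering workstations"),
}

# Constructed sample in the shape Nmap writes with -oX, trimmed to the
# elements the inventory needs.
NMAP_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><status state="up"/>
    <address addr="10.10.10.5" addrtype="ipv4"/>
    <address addr="00:00:BC:11:22:33" addrtype="mac" vendor="Rockwell Automation"/>
    <hostnames><hostname name="plc-line1" type="PTR"/></hostnames>
  </host>
  <host><status state="up"/>
    <address addr="10.10.20.7" addrtype="ipv4"/>
    <address addr="00:0E:8C:44:55:66" addrtype="mac" vendor="Siemens"/>
  </host>
  <host><status state="down"/>
    <address addr="10.10.20.8" addrtype="ipv4"/>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.50" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

def vlan_for(ip):
    """Map an address to (VLAN, description) from the documented subnets."""
    addr = ipaddress.ip_address(ip)
    for cidr, tag in SUBNET_TO_VLAN.items():
        if addr in ipaddress.ip_network(cidr):
            return tag
    return ("UNKNOWN", "not in addressing plan")

def parse_nmap_xml(xml_text):
    """Return one inventory row (dict) per host Nmap reported as up."""
    rows = []
    for host in ET.fromstring(xml_text).findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        ip = mac = vendor = ""
        for a in host.findall("address"):
            if a.get("addrtype") == "ipv4":
                ip = a.get("addr")
            elif a.get("addrtype") == "mac":
                mac, vendor = a.get("addr"), a.get("vendor", "")
        hn = host.find("hostnames/hostname")
        vlan, area = vlan_for(ip)
        rows.append({"ip": ip, "vlan": vlan, "area": area, "mac": mac,
                     "vendor": vendor,
                     "hostname": hn.get("name") if hn is not None else ""})
    return rows

def next_free_ip(rows, cidr, reserve_first=10):
    """Issue a new address from the sheet: skip addresses already in use and
    leave the lowest reserve_first host addresses for gateways/infrastructure."""
    used = {r["ip"] for r in rows}
    for host in list(ipaddress.ip_network(cidr).hosts())[reserve_first:]:
        if str(host) not in used:
            return str(host)
    return None

def diff_scans(previous, current):
    """Periodic re-scan: report addresses that appeared, vanished, or now
    answer from a different MAC (a swapped device or a possible conflict)."""
    prev = {r["ip"]: r for r in previous}
    cur = {r["ip"]: r for r in current}
    both = set(prev) & set(cur)
    return {
        "new": sorted(set(cur) - set(prev)),
        "missing": sorted(set(prev) - set(cur)),
        "mac_changed": sorted(ip for ip in both
                              if prev[ip]["mac"] and cur[ip]["mac"]
                              and prev[ip]["mac"] != cur[ip]["mac"]),
    }

if __name__ == "__main__":
    inventory = parse_nmap_xml(NMAP_XML)
    for row in inventory:
        print(row)
    print("next free on VLAN10:", next_free_ip(inventory, "10.10.10.0/24"))
    # Constructed "previous" scan: everything except the 192.168.1.50 host.
    baseline = [r for r in inventory if r["ip"] != "192.168.1.50"]
    print(diff_scans(baseline, inventory))
```

The rows are plain dicts so they drop straight into csv.DictWriter for the spreadsheet. A host that lands in the UNKNOWN VLAN (here 192.168.1.50) is exactly the kind of undocumented device the survey is meant to surface; a MAC change on a known address is worth a look before it turns into a duplicate-IP outage.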

2. Network Segmentation

Plants simply run out of IP addresses as they scale, and this happens more often now that more IP-connected devices are arriving than ever before. A helpful IT admin may set up another VLAN so these networks can keep growing. But, again, the focus is on getting production up and running. Without a proper segmentation plan, the result is a breeding ground for lateral movement, leaving the network exposed to ransomware. If your network is small, now is the time to start segmenting.

Recommendations:

  • Segment: Segmentation is potentially the single most effective thing you can do to limit the damage to your network in the event of an incident. If you don’t have VLANs, start by segmenting by line, area or system, keeping critical, time-dependent communication grouped on the same VLAN. Document and implement access control lists (ACLs) for any traffic that must leave that VLAN to reach assets in other VLANs. NetworkMiner, used together with Wireshark and a SPAN port to collect PCAPs, is a good tool for quickly identifying these conversations and deriving the ACLs from them. Consider separating existing critical assets from the systems and devices they don’t need to talk to, especially assets that are remotely accessed to support other systems. This can often be done over a weekend or during a pre-planned outage. Keep in mind that as your manufacturing spaces grow in complexity, separating assets after the fact only gets harder.
  • Make Continual Improvements: If you are ready for something beyond ACLs, investigate a small industrial firewall, or work with IT to share or provide an enterprise firewall to further isolate OT from IT. NIST CSWP 28 and the Cisco, Rockwell and Panduit Converged Plantwide Ethernet (CPwE) design guides provide further guidance as you look for budget-friendly improvements suited to your own environment.
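The ACL-from-PCAP step above is mechanical once the conversations are in hand. The script below is an added example written for this article, not the original post's or any tool's code: it takes flow records of the kind you would export from Wireshark's Conversations view or NetworkMiner (constructed here), ignores intra-VLAN traffic (which stays switched inside the VLAN and needs no rule), turns every routinely seen inter-VLAN conversation into an allow entry with a default deny per VLAN pair, and sets aside rarely seen conversations for a human to judge rather than permitting them silently. The VLAN plan, the flows and the rule syntax are assumptions.

```python
"""Derive per-VLAN allow-list ACLs from observed conversations.

Added example for this article; not code from the original post. The flow
records stand in for what you would pull out of a SPAN-port PCAP; they are
constructed, and the VLAN plan and rule syntax are assumptions.
"""
import ipaddress
from collections import defaultdict

# Constructed addressing plan (same shape as the IP/VLAN spreadsheet).
VLANS = {
    "VLAN10": "10.10.10.0/24",   # Line 1 controls
    "VLAN20": "10.10.20.0/24",   # Line 2 controls
    "VLAN99": "10.10.99.0/24",   # engineering workstations / historian
}

# Constructed flow summary: (src, dst, proto, dst_port, packets).
FLOWS = [
    ("10.10.10.5", "10.10.10.20", "tcp", 44818, 9800),  # PLC <-> HMI, same line (EtherNet/IP)
    ("10.10.99.10", "10.10.10.5", "tcp", 44818, 120),   # engineering workstation to Line 1 PLC
    ("10.10.99.10", "10.10.20.7", "tcp", 102, 95),      # engineering workstation to Line 2 PLC (S7)
    ("10.10.10.5", "10.10.99.40", "tcp", 1433, 3000),   # Line 1 PLC pushes data to historian DB
    ("10.10.20.7", "10.10.10.5", "tcp", 44818, 1),      # one-off: Line 2 PLC touched Line 1 PLC
]

def vlan_of(ip):
    """Return the VLAN name whose subnet contains ip, or None if undocumented."""
    addr = ipaddress.ip_address(ip)
    for name, cidr in VLANS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

def build_acls(flows, min_packets=5):
    """Group inter-VLAN conversations into candidate ACL entries.

    Intra-VLAN traffic (the time-critical PLC/HMI chatter) is switched
    inside the VLAN and needs no entry. Conversations seen fewer than
    min_packets times are returned separately for review instead of
    being permitted automatically.
    """
    acls = defaultdict(set)
    review = []
    for src, dst, proto, port, pkts in flows:
        sv, dv = vlan_of(src), vlan_of(dst)
        if sv is None or dv is None or sv == dv:
            continue
        entry = (src, dst, proto, port)
        if pkts < min_packets:
            review.append((sv, dv) + entry)
        else:
            acls[(sv, dv)].add(entry)
    return acls, review

def render(acls):
    """Emit vendor-neutral rule text: one permit per conversation, then a
    deny for the whole VLAN pair so anything unlisted is dropped."""
    lines = []
    for (sv, dv), entries in sorted(acls.items()):
        lines.append(f"! {sv} -> {dv}")
        for src, dst, proto, port in sorted(entries):
            lines.append(f"permit {proto} host {src} host {dst} eq {port}")
        lines.append(f"deny ip {VLANS[sv]} {VLANS[dv]}")
    return lines

def is_permitted(acls, src, dst, proto, port):
    """Check a proposed flow against the derived ACLs (default deny)."""
    sv, dv = vlan_of(src), vlan_of(dst)
    if sv is not None and sv == dv:
        return True                      # same VLAN: never crosses the ACL
    return (src, dst, proto, port) in acls.get((sv, dv), set())

if __name__ == "__main__":
    acls, review = build_acls(FLOWS)
    print("\n".join(render(acls)))
    print("needs review:", review)
```

The single-packet Line 2 to Line 1 PLC conversation is the interesting case: it is real traffic, but a rule derived blindly from the capture would bake a cross-line path into the ACL, so the script hands it to a person instead. Capture over a full production cycle before trusting the list, since a conversation that only happens at shift change or month end will not be in a one-hour PCAP.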

3. Password Management

During assessments we often see passwords on sticky notes or in files on desktops. Users also tend to leverage simple, non-rotated passwords or default passwords. Compromised or default credentials could be the starting point for an attacker to gain access to your OT environment or manipulate assets.

Recommendations:

  • Use Password Managers: Leverage a free or subscription-based password manager such as Bitwarden or 1Password. Keep OT passwords in a vault separate from any personal password manager to avoid poor OPSEC. Don’t store domain or admin credentials in it; those should be limited to a few users and committed to memory.
  • Manage Access: Do not share accounts. Individual accounts increase accountability when shared resources are used. Each account should be individually managed and assigned its own privileges.

4. Security Awareness Training

Problem: Most security awareness training focuses on IT systems, email and Office applications, but does not address OT concerns.

Recommendations:

  • Invest in Training: Leverage free or inexpensive training resources and hands-on simulations focused on educating employees about cybersecurity best practices. YouTube videos and subscriptions on Coursera, Udemy, Pluralsight, LinkedIn and more can provide a good foundation. Resources like NIST or MITRE ATT&CK outline security frameworks and attack vectors to give your business a common reference language. Most automation vendors offer some form of training and services as well. Take the time to explore your options.
  • Leverage Existing Knowledge: If your IT department publishes any awareness training, ask them whether their provider offers OT content. Build a regular cadence with IT security staff to leverage their expertise and apply it to your OT network.

5. Incident Response and Recovery

Problem: Hope, while comforting and reassuring, is not a strategy. Don’t look at the odds and hope you won’t end up with malware or some other compromise. If you plan for the worst, you will also be prepared for a range of common operational outages.

Recommendations:

  • Respond: In the event of a ransomware attack, swift and effective incident response is paramount. Isolate the compromised system to prevent further spread. If segmentation and ACLs are in place, they should have slowed or stopped the spread, leaving you less to recover. Have a plan before you need to respond.
  • Recovery: After isolating the attack, you can start to recover. Backups are crucial here. Leverage existing network storage to maintain regular backups, then copy them manually to another drive. Keep that drive off the network, or make sure it is heavily segmented and hardened. I typically do not advise using removable media, but it can be a reasonable stopgap until you develop a more robust backup and recovery system. Make sure the media is regularly scanned by a laptop with endpoint protection, and do not use it for anything else. If you have workstations and standalone PCs, look for free or existing tools to snapshot them to reduce recovery time. Use your inventory as a checklist to track what is critical to back up.
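Using the inventory as a backup checklist, as the last sentence suggests, is easy to automate. The script below is an added example written for this article, not code from the original post: it walks the inventory, and for every asset flagged critical checks that the offline copy exists, is recent, and still hashes to the value recorded when it was copied (so a corrupted or silently altered copy is caught before the day you need it). The inventory excerpt, the backup catalogue, the "critical" flag and the seven-day freshness window are constructed assumptions to adjust per site.

```python
"""Use the asset inventory as a backup checklist.

Added example for this article; not code from the original post. Inventory
rows, backup contents and the catalogue are constructed, and the "critical"
flag and 7-day freshness window are assumptions to adjust per site.
"""
import hashlib
from datetime import datetime, timedelta

# Constructed inventory excerpt: which assets matter for recovery.
INVENTORY = [
    {"ip": "10.10.10.5", "hostname": "plc-line1", "critical": True},
    {"ip": "10.10.20.7", "hostname": "plc-line2", "critical": True},
    {"ip": "10.10.99.40", "hostname": "historian", "critical": True},
    {"ip": "10.10.99.10", "hostname": "eng-ws1", "critical": False},
]

# Constructed file contents standing in for what sits on the offline drive
# (PLC project exports, database dumps, workstation snapshots).
BACKUP_FILES = {
    "plc-line1": b"line1 project export v12",
    "plc-line2": b"line2 project export v07",
}

def sha256(data):
    """Hex SHA-256 of a backup's bytes, recorded at copy time and re-checked later."""
    return hashlib.sha256(data).hexdigest()

# Constructed catalogue: when each copy was taken and the hash recorded then.
# historian has no entry; plc-line2's recorded hash is for an older export.
NOW = datetime(2024, 6, 1)
CATALOGUE = {
    "plc-line1": {"taken": NOW - timedelta(days=2),
                  "sha256": sha256(BACKUP_FILES["plc-line1"])},
    "plc-line2": {"taken": NOW - timedelta(days=20),
                  "sha256": sha256(b"line2 project export v06")},
}

def check_backups(inventory, catalogue, files, now, max_age_days=7):
    """Return (hostname, problem) pairs for every critical asset that is not
    restorable from the offline copy: no entry, stale, or the bytes on the
    drive no longer match the hash recorded when they were copied."""
    problems = []
    for asset in inventory:
        if not asset["critical"]:
            continue                      # non-critical assets are not gated on backups
        name = asset["hostname"]
        entry = catalogue.get(name)
        if entry is None:
            problems.append((name, "no backup in catalogue"))
            continue
        if now - entry["taken"] > timedelta(days=max_age_days):
            problems.append((name, "backup older than %d days" % max_age_days))
        current = files.get(name)
        if current is None or sha256(current) != entry["sha256"]:
            problems.append((name, "offline copy does not match recorded hash"))
    return problems

if __name__ == "__main__":
    for host, problem in check_backups(INVENTORY, CATALOGUE, BACKUP_FILES, NOW):
        print(f"{host}: {problem}")
```

Run this against the real catalogue each time the offline drive is connected to the scanning laptop; an empty result is the "we could actually restore" signal, and anything else goes on the to-do list before the drive is disconnected again.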

By implementing these budget-friendly OT network improvements, organizations can bolster their security posture and mitigate common threats without the need for significant investment. The best way to get to where you want to go is to start. Waiting for budget approval for large capital improvements can leave the basics unaddressed. Prioritizing these five items will help fortify defenses and minimize the impact of cyberattacks on OT environments. You can build on this foundation and tackle more complex initiatives as the business grows.

Michael Dutko
Senior Consultant, Product Security - ICS & IoT | Optiv
Michael Dutko has over 10 years’ experience in both industrial automation and Industrial Control System (ICS)/OT networking and security. Michael currently is a Senior Consultant for Optiv’s ICS/OT security practice, leveraging his skills to complete security reviews, risk assessments, validations and technical deployments. He earned an Electronic Engineering Technology (EET) bachelor’s degree from Bloomsburg University in Pennsylvania.
